Lernstick shim-15.6-1 x64 (20220817) #275

Closed
8 tasks done
ronnystandtke opened this issue Aug 17, 2022 · 5 comments
Labels
accepted Submission is ready for sysdev

Comments

ronnystandtke commented Aug 17, 2022

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db (if you use vendor_db and have hashes allow-listed)
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?


https://github.com/Lernstick/shim-review/tree/lernstick-shim-amd64-20220817


What is the SHA256 hash of your final SHIM binary?


138bcb7ebc81ac44324122b04d0e4dc6aef63d3d7fd04ddaa9d856cde1cde78e shimx64.efi


What is the link to your previous shim review request (if any, otherwise N/A)?


Previous (accepted) submission: #196

@steve-mcintyre
Collaborator

Looking:

  • identity verification not needed (Lernstick shim-15.4-6 x64 (20210729) #196)
  • shim reproduces ok here
  • upstream 15.6, no patches
  • includes a CA key with ~9y left, ok. Following a similar strategy to Debian, ok
  • SBAT data looks (mostly!) OK (see below), including upstream Debian data
  • revocation story looks good
  • kernel sounds ok, borrowed from Debian
  • HSM for key management, ok
  • grub looks (mostly) OK, borrowed from Debian
  • list of grub modules is fine

Issues / queries

  • you mention a Debian grub version 2.06-4, but that doesn't actually exist yet!

steve-mcintyre added the question (Reviewer(s) waiting on response) label Aug 18, 2022
@ronnystandtke
Author

Hi Steve,

Thank you for your review!

We have taken the latest git snapshot of the Debian package, therefore it was built on top of the unreleased 2.06-4.
Because the content of 2.06-4 might change before release and to avoid confusion we are now using 2.06-3 as the base.
The new tag is here (only the grub version numbers have changed):
https://github.com/Lernstick/shim-review/tree/lernstick-shim-amd64-20220819

@steve-mcintyre
Collaborator

Yeah, that was exactly my worry on the Debian grub package. Thanks for fixing!

steve-mcintyre removed the question (Reviewer(s) waiting on response) label Aug 19, 2022
@steve-mcintyre
Collaborator

All good now, marking accepted

steve-mcintyre added the accepted (Submission is ready for sysdev) label Aug 19, 2022
@ronnystandtke
Author

Thank you for the review. We just received a signed Shim.
